Industry Insights

Office of Civil Rights Initiates Phase 2 of HIPAA Audits

Gary Moss

Director

Enterprise Risk Solutions

Telecommuting

In 2011, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) was designated to support a pilot audit program. The objectives of these Phase 1 audits were to assess the controls and processes implemented by covered entities under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act. These regulations were established to require the privacy of protected health information (PHI), security of electronic PHI and breach notification.

On March 31, 2014, the OCR announced its plan for the Phase 2 audits, revising its audit program to include areas such as security risk assessments, ongoing risk mitigation plans and breach notification procedures. This phase also will include business associates, in addition to covered entities.

The OCR recently announced it has initiated the Phase 2 audits. The process begins with verification of an entity’s address and contact information. An email will be sent to covered entities and business associates requesting that all contact information be provided to the OCR on a timely basis.

The next step will include the transmission of a pre-audit questionnaire designed to gather data about the potential auditees. Combined with other data, this information will be used to create potential auditee pools. Responding to this request is critical, since the OCR will use publicly available information if an entity doesn’t respond. Using this alternative information, the OCR still may select an entity for an audit or subject it to a compliance review. Note: Organizations should check their spam folders during the email notification process in case the OCR email is filtered or virus-protected.

As organizations continue to enhance their HIPAA programs to reduce the risk of PHI breaches and develop initiatives that will help prepare them for a potential OCR audit, these steps are key:

Perform comprehensive, periodic risk analyses

Maintain a current catalogue or repository of all business associate arrangements

Document encryption capabilities

Maintain updated, reviewed and approved HIPAA program and breach notification policies and procedures

Document all security training that’s been conducted

Maintain an inventory of all areas, including devices and databases, where PHI is stored

In the interest of being transparent about the audit process, the OCR’s updated protocols and audit program will be available on the agency’s website as the 2016 audit dates approach. These materials can be used by organizations to direct their internal self-audits as an additional component of their HIPAA compliance activities.